Michigan Medicine notifies patients of unauthorized access to patients’ medical information via health information exchanges
Privacy incident related to unauthorized access to patient information for about 551 patients
9:00 AM
ANN ARBOR, Mich. — Michigan Medicine is notifying approximately 551 individuals about a privacy incident that may have involved their health information.
On January 13, 2026, Michigan Medicine was notified by its electronic health record vendor, Epic Systems Corporation (“Epic”), about unusual activity involving third-party companies requesting patient records through a nationwide health information exchange connection.
Based on information provided to us and an internal review, between March 12, 2026, and March 25, 2026, Michigan Medicine determined that one or more third-party companies may have obtained access to patient records through this exchange in circumstances that were not authorized, including instances where we could not confirm a treatment-related reason for the request.
As a result of Epic’s review of the questionable activity in the exchange network, Epic filed a federal lawsuit in the U.S. District Court for the Central District of California against a company named “Health Gorilla” (and several other defendants) who Epic claims is responsible for the inappropriate accesses. The lawsuit contains allegations that these companies obtained access to patient records by misrepresenting themselves as legitimate health care providers by creating fictitious websites, shell companies, and sham provider numbers that allowed them to fraudulently obtain access to patient data.
Unauthorized access occurred between October 18, 2023, and November 12, 2025. The information that was accessed may have included one or more of the following:
Demographic information (such as name, address, phone number, email address, date of birth, medical record number); clinical information (such as diagnoses, medications, allergies, test results, and treatment information); and health insurance information.
Social Security numbers were not included in the information Epic reported was exchanged through the exchange network.
Michigan Medicine is taking steps to help protect patients and reduce the risk of this happening again, including:
working with Epic and the relevant exchange/network parties to identify and investigate the activity;
monitoring the litigation initiated by Epic;
reporting to and coordinating with regulators or other authorities as required.
“We treat patient health information with the same care as our patients – with respect, constant vigilance and attention to detail,” said Jeanne Strickland, Michigan Medicine Chief Compliance Officer.
“We will analyze this incident, review our safeguards and make changes if improvements are needed. We remain dedicated to protecting our patients’ privacy.”
We believe the risk of identity or medical theft is low because no credit card, debit card, bank account, or Social Security numbers were involved. However, we recommend that patients monitor insurance statements for any transactions related to care or services that have not actually been received. In our patient notice letters, we included ways to protect against identity theft. See https://www.usa.gov/identity-theft for more information.
Notices were mailed to the affected patients or their personal representatives starting May 1, 2026. Those concerned about the breach who do not receive a letter may call the toll-free Assistance Line at 1-888-202-3478. Calls will be answered Monday through Friday, 9 a.m. to 9 p.m. (Eastern Time).
Media Contact
Public Relations
Department of Communication at Michigan Medicine